network monitoring as a layer of security cs 691 advanced system security design
DESCRIPTION
Network Monitoring as a Layer of Security CS 691 Advanced System Security Design University of Colorado – Colorado Springs July 28 th 2009 Jeff Miller. Introduction. Overview - PowerPoint PPT PresentationTRANSCRIPT
UCCS - CS691 1
Network Monitoringas a Layer of Security
CS 691 Advanced System Security DesignUniversity of Colorado – Colorado Springs
July 28th 2009Jeff Miller
7/27/2009
UCCS - CS691 2
IntroductionOverview
“Your doctor is watching for danger signs as blood flows through vessels, valves and chambers of the heart, while your network monitoring systems are tracking data moving along cables and through servers, switches, connections and routers.”
– CIO magazineBasic Definition
A vital activity where one or more computers monitor network traffic, infrastructure devices, and other computer systems. The system notifies administrators with alerts (email, pager, cell phone, etc.) when a problem exists.
7/27/2009
UCCS - CS691 3
Introduction ContinuedWhat it is
A system that collects data and alerts the admin when other systems or services are unavailable, or when a predefined threshold is reached (system resources, bandwidth usage, etc.)
What it isn’tNetwork Monitoring is not an Intrusion Prevention
System (IPS) or Intrusion Detection System (IDS)Critical Availability
Always On – dedicated power, ePower (generator) ideal at a minimum battery backup system
7/27/2009
UCCS - CS691 4
Practical ApplicationSmart Grid Internet Service Providers (ISPs)Large CorporationsHospitalsMilitary NetworksEveryone!?! Why not?
7/27/2009
UCCS - CS691 5
Monitoring Techniques Passive
SNMP – Protocol for communicating – most basic and most popular Device based Limited information gathered Management Information Base (MIB) Monitor and Agents(s)
RMON – requires more expensive hardware (more cpu cycles, memory, etc.) Flow based Specific SNMP MIB Console and Probe(s)
Netflow – developed by CISCO – Juniper Network has JFlow Collector and probe(s)
Traffic Sniffers Active
Generate and injection of test packets into the network. Test data send to devices, servers, and or applications. Volume of traffic is fully adjustable.
Good way to test Service Level Agreements (SLAs)
7/27/2009
UCCS - CS691 6
SNMPManagement Information
Base (MIB)Hierarchical collection of
information that is accessed using SNMP
Comprised of managed objects
Follow Internet Engineering Taskforce (IEFT) and IEEE standards
7/27/2009
UCCS - CS691 7
MIB TreeExample: Oracle Database MIB
7/27/2009
UCCS - CS691 8
MIB Tree Example: 3Com NetworkDevice MIB
7/27/2009
UCCS - CS691 9
Monitoring via SNMP
7/27/2009
UCCS - CS691 10
BenefitsNo IDS, IPS, or Firewall guaranteed to prevent or detect all attacksThe more information we have about our network the easier we can
identify potential problems and get alerts when something bad happens
General Benefits Spot overloaded equipment before it can bring down a network Help determine employee productivity Identify weak wide-area-network links and other bottlenecks Measure latency or the delayed transfer of data Provides executives the ammo they need to justify network upgrades Prove SLA are being met
Security Considerations Detect anomalous internal traffic that might indicate a security threat
such as a DDOS attack Detect overloaded systems, crashed servers, lost network connections,
virus or malware infections, and power outages7/27/2009
UCCS - CS691 11
Network Monitoring SolutionsCommercial – hardware appliances, software solutions and
even outsourced service solutions (range from thousands to hundreds of thousands of dollars).HP OpenView – $$$CISCOWorks - $$$SolarWinds Orion - $$OpManager - $WhatsUpGold - $PRTG - $
Open Source - innovative, inexpensive, and numerous – everyone likes free! – (limited support – more difficult to setup)Nagios – (free with optional support license)MRTG
7/27/2009
UCCS - CS691 12
Test BedNagios 3.1.2
Open Source / GPL / FreeNetwork services like smtp, http, dns, and ftp can
be easily monitored without the use of client add-ons
3 Part SetupCorePlugins
NSClient++Add-ons
Perl scripts, MIB info, etc.
7/27/2009
UCCS - CS691 13
NSClient++NSClient++
Easily monitor hosts, devices, services, protocols, and applications with Nagios
7/27/2009
UCCS - CS691 14
Test BedNetwork Management System
Ubuntu Desktop 9.04Apache 2PHP 5GCC Compiler and development librariesGD graphics libraryNagios 3.1.2 source code - sourceforge
Sample Clients Linux Server, 2 XP Laptops, 1 Networked
Printer, 1 Linux Router/Switch
7/27/2009
UCCS - CS691 15
Test Bed Continued…
7/27/2009
UCCS - CS691 167/27/2009
UCCS - CS691 177/27/2009
UCCS - CS691 187/27/2009
UCCS - CS691 19
Linksys WRT54GS – DD-WRTCPU check
define command{ command_name check_linksys_cpu command_line $USER1$/check_snmp -H
$HOSTADDRESS$ -C public -o 1.3.6.1.4.1.2021.10.1.5.1 -u % - w 60 -c 70 }
RAM check define command{
command_name check_linksys_ram command_line $USER1$/check_snmp -H $HOSTADDRESS$ -C public -o 1.3.6.1.2.1.25.2.3.1.6.101 -u kb -w 27000 -c 28000 }
7/27/2009
UCCS - CS691 20
ConclusionNagios as a monitoring solution
Large company with a big budget - commercial product would be easy to configure and support
Small to medium size company with a limited budget and enjoy the flexibility to completely customize your solution consider Nagios or another OpenSource/GPL product Requires Linux knowledge Requires more in-depth configuration and possibly custom
coding to support specific devicesIn general I would recommend a monitoring solution
as an extra layer of security for any networkROI analysis – costs will drive the solution
7/27/2009
UCCS - CS691 21
References [1] CIO Magazine (5 Jun 2009) Network Monitoring Definition and Solutions. Retrieved Jul 13,
2009 from http://www.cio.com/article/133700/Network_Monitoring_Definition_and_Solutions [2] Ipswitch (14 Nov 2007) White Paper: THE VALUE OF NETWORK MONITORING: Why It’s
Essential to Know Your Network. Retrieved Jul 29, 2009 from http://www.whatsupgold.com/resources/whitepapers/Value_of_Network_Monitoring.pdf
[3] Landis +Gyr (2009) White Paper: Securing the Smart Grid: Gridstream Security Architecture. Retrieved June 6, 2009 from http://www.landisgyr.com/en/pub/home.cfm
[4] EMS Satcom (2008) Blue Force Tracking: System Nuances and EMS SATCOM’s Contributions. Retrieve Jul 20, 2009 from http://www.emssatcom.com/newsletters/2008/Nov/bus2.aspx
[5] Stanford SLAC (11 Mar 2001) Passive vs. Active Monitoring. Retrieved Jul 13, 2009 from http://www.slac.stanford.edu/comp/net/wan-mon/passive-vs-active.html
[6] TCPIP Guide (?) SNMP MIB Graphic. Retrieved Jul 29, 2009 from www.tcpipguide.com [7] HP Website [8] Wikipedia (27 Jul 2009) Comparison of network monitoring systems. Retrieved Jul 29, 2009
from http://en.wikipedia.org/wiki/Comparison_of_network_monitoring_systems [9] Nagios (2009) Nagios. Retrieved July, 13 2009 from http://www.nagios.org/ [10] NSClient++ () Installing NSClient++. Retrieved July 23, 2009 from http://nsclient.org/nscp/ [11] Nagios () Nagios Quickstart Installation Guides. Retrieve July 23, 2009 from
http://nagios.sourceforge.net/docs/3_0/quickstart.html
7/27/2009